It's interesting to try to imagine a device that would prevent that, without causing more issues.
My preliminary idea is a "fuel bladder" for take-off that inflates with enough fuel to get the plane to a recoverable altitude, maybe a few thousand feet?
It’s a pointless exercise though - if one of the pilots wants to crash the plane, there’s almost nothing that can possibly be done. Only if someone can physically restrain them and remove them from the controls.
There’s always going to be many ways they could crash the plane, such a feature wouldn’t help. The pilots are the only people you can’t avoid fully trusting on the plane.
It's only pointless if we assume crashing was the intended result of the pilot. If the switches failed, or the pilot activated the switches by mistake, it's worth considering options for handling the inputs.
There's a balance of accidents to be found, I think. There are likely cases where fuel does need to be cut off to both engines, and preventing that would lead to accidents that might have been recoverable. This case shows that cutting off fuel to both engines during takeoff is likely unrecoverable. There have been cases where fuel is cutoff to the wrong engine, leading to accidents. Status quo might be the right answer, too.
So basically we need software that can 100% autonomously fly a plane. Software that is extremely reliable and trustworthy, basically. Software with multiple fallback options. Multiple AI agents verifying every action this software takes. Plus, ground-based teams monitoring the agents and the autonomous flight software.
> Again, it’s probably pointless but it’s an interesting thought exercise.
Coming up with ad-hoc solutions is easy, especially the less you know about a complex system and its constraints. I'd say it's not an interesting exercise unless you consider why a solution might not exist already, and what its trade-offs and failure modes are. Otherwise, all you're doing is throwing pudding against a wall, which can of course be fun.
That’s the whole fun part - come up with an “obvious” solution and the try to figure out the problems or risks it would cause.
For example, an obvious solution is that the switch can't be changed from "RUN" to "CUTOFF" when the throttle isn't at idle - this could be done with a mechanical detent because they're right next to each other. Simple!
But now you've introduced additional failure modes - throttle sticks wide open and the engine is vibrating and needs to be shut down - so maybe you make it that the shutdown switch can work for ONE engine at any throttle position, but if TWO get turned off, both throttles have to be off, but that introduces ...
Or you simply interlock the engine cutoff with the thrust lever position, any position other than idle prevents shutdown. This all goes through the flight computers already.
If there’s a fire or similar problem the fire handles will cut off fuel without the normal shutdown procedure, but the normal switches only need to be used at idle thrust.
I wonder if Airbus has this logic, since their philosophy is to override the pilot commands if they’d endanger the aircraft (which has its own issues of course) where’s Boeing will alert the pilots and still perform the action. I don’t have access to that information.
According to AI, Airbus places these switches on the overhead panel, so that alone would make it harder to inadvertently move them. Apparently, Airbus "protections do not extend to mechanical or FADEC‑controlled systems like the engine‑fuel shutoff valves. If you deliberately pull and flip the ENG MASTER lever to OFF, the FADEC will immediately close the LP and HP fuel valves and the engine will flame out. If you then return the lever to RUN (and you meet relight conditions), it will automatically relight."
As another commenter said the Airbus engine start/stop controls are located behind the thrust levers, and according to the A350 operations manual which I got my hands on there are two conditions required for the FADEC to command engine shut down: Run switch to off, thrust lever to idle.
So if that's correct on an Airbus aircraft you can't just switch off the engines when they're commanded to produce thrust. This also seems to be backed up by the difference in the guards for those controls in the Airbus cockpits.
The wings hosts the engine and a good portion of the fuel is quite a bit back from the nose in a big plane like 787. The engines lost power and hit just 180 knots just 4 seconds after the plan lifted off. The plane could have just easily broken up differently where the nose crashed in a different spot than where the fire would likely start.
At such a slow speed and altitude they could even have well crashed inside the airport perimeter and got a quicker/ better emergency response from the fire units at the airport.
Attempting this during takeoff or landing when the pilot monitoring is fully engaged and closely observing would be most difficult to execute .
